Authentificering med SSL certifikater?

Den første artikel jeg linker til henviser til et muligt alternativ: Moxie Marlinspikes Convergece projekt: http://convergence.io/

Men jeg har ikek set nærmere på det.

Certifikater i DNS, sikret med DNSSEC, er en god erstatning for de billige certifikater, men det forhindrer ikke at nogen registrerer of certificerer danskebank.bk og på den måde laver et troværdigt phishing site. DNSSEC er en god ting og en nødvendig ting - men ikke en tilstrækkelig ting.

SSL Strip seems to be unrelated to how CA's works and what CA's are used for? It is a man-in-the-middle attack that depends on redirects between secure and insecure content?

How do you mean that DNSSEC depends on SSL certificates? SSL is partly broken due to DNS being unvalidated, not the other way around.

All systems depending on some information being secret or that some group of individuals can't be bribed can be compromised. If you want to give up now and be a Luddite be my guest, but then I don't think we have anything interesting to discuss.

Basically it is a discussion about risks and disaster recovery. So for the fun of it, let us compare DNSSEC and domain validated SSL certificates:

DNSSEC gives you a strict hierarchy of trust with one responsible entity at each level. With SSL certs you have about 600 CA's with blanket authority to issue any certificate they want.

DNSSEC have very well documented procedures for handling the root issuing key. I would guess that less than 1% of the CA's have the same level of public documentation and the procedures for becoming a generally acknowledged CA is even more obscure and semi-random.

DNSSEC makes it easy to revoke a compromised certificate within a configurable time-to-live. In theory SSL could be revoked instantly but in practice this is disabled. Revoking CA's are even harder as it often requires a security update the users should install.

Real end user support for DNSSEC is immature. For SSL end users are getting used to ignore a number of warnings. Not sure if this talks for or against any solution.

In general DNSSEC does not provide anything like extended validation certificates. This could be solved with "extended validation" TLD's. I'm not sure that the state of the 600 issuing CA's makes me trust EV SSL certs.

DNSSEC is not the final solution. Not even with DANE it will be the final solution. But it is a step ahead of 600 CA's with blanket authority to issue SSL certificates.

And where does Convergence fit into this?

I think it will be more of a policy engine than something entirely new. I think that the current CA structure will develop into a number of core notaries. The common mode of operation would be that if 5 out of 100 core notaries validate a certificate it will be considered validated.

This will be more robust than the current situation but require users to bye services from more notaries than the current single CA.

As a replacement of the current domain validated certificates I think that there will be a number of core notaries importing trust from DNSSEC based SSL certificates.

Power users might do something more, but I guess that the above will be the common default set up for normal users.